Pretty Good Privacy

Philip Zimmermann, a software engineer and cryptographic specialist, created a shareware product called Pretty Good Privacy (PGP) in 1991. His goal was to make encryption transparent and ubiquitous. Unfortunately, this was in direct conflict with the U.S. government’s policy against the export of strong cryptography outside the country, so beginning in 1993, customs agents attempted to discourage Zimmermann’s distribution of his software. Since then, the Federal Government has been progressively relaxing export policies, and some believe they will be eliminated altogether in the future. To help further his ideals, Zimmermann helped form Pretty Good Privacy, Inc. in 1996. The PGP program has since been absorbed by McAfee.

PGP, Inc.’s main product, of course, is the PGP program, which can encrypt and decrypt messages using what the vendor calls “the strongest encryption available to United States civilians.” The software also has a digital signature capability, fulfilling the important tasks of data integrity verification and nonrepudiation. All of this is done in such a way as to make encryption as convenient, powerful, and efficient as possible for end users.

One of the most powerful aspects of PGP is that both functions, encryption and digital signatures, can be used simultaneously, offering privacy and authentication with each message. For example, if Alice wants to send Bob a secure email while guaranteeing it really is from Alice, she could tell PGP to sign and encrypt the message. The program would first sign the message with Alice’s private key, then encrypt it with Bob’s public key. Bob would then have his PGP software do the reverse—decrypt using his private key, then verify the message with Alice’s public key.
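The sign-then-encrypt flow described above, as an added sketch that is not part of the original text or of PGP's own code: it substitutes toy textbook RSA built from small well-known primes and a SHA-256 keystream for PGP's real algorithms, so every function name and key here is a constructed assumption and none of it is safe for real use. It also shows a detail the paragraph simplifies: PGP encrypts the message with a one-time session key and encrypts only that session key with Bob's public key.

```python
import hashlib
import secrets

E = 65537      # public exponent
SIG_LEN = 32   # bytes reserved for the signature in front of the message

def make_key(p, q):
    """Toy RSA key pair from two known primes (constructed; far too small for real use)."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    """Hash the message and reduce it into the signer's modulus (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def keystream_xor(session, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(session.to_bytes(32, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def sign_and_encrypt(msg, sender_priv, recipient_pub):
    # 1. Sign: the sender's private key transforms the message digest.
    sig = pow(digest(msg, sender_priv["n"]), sender_priv["d"], sender_priv["n"])
    # 2. Encrypt: a fresh session key protects signature + message; only the
    #    session key itself is encrypted with the recipient's public key.
    session = secrets.randbelow(recipient_pub["n"] - 2) + 2
    wrapped = pow(session, recipient_pub["e"], recipient_pub["n"])
    return wrapped, keystream_xor(session, sig.to_bytes(SIG_LEN, "big") + msg)

def decrypt_and_verify(packet, recipient_priv, sender_pub):
    wrapped, body = packet
    # 1. Decrypt: recover the session key with the recipient's private key.
    session = pow(wrapped, recipient_priv["d"], recipient_priv["n"])
    plain = keystream_xor(session, body)
    sig, msg = int.from_bytes(plain[:SIG_LEN], "big"), plain[SIG_LEN:]
    # 2. Verify: the sender's public key must map the signature back to the digest.
    return msg, pow(sig, sender_pub["e"], sender_pub["n"]) == digest(msg, sender_pub["n"])

# Constructed keys built from Mersenne primes, for demonstration only.
ALICE_PUB, ALICE_PRIV = make_key(2**127 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_key(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    packet = sign_and_encrypt(b"Meet at noon.", ALICE_PRIV, BOB_PUB)
    print(decrypt_and_verify(packet, BOB_PRIV, ALICE_PUB))
```

Changing any byte of the encrypted body, or checking the signature against a public key other than Alice's, makes the second return value False.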

While you can use PGP with any application, newer versions are available as plug-ins for Eudora, Outlook, and other popular email packages on the Internet—other vendors also offer their own email software with encryption. As secure email transmissions are essential, such integration will only become more common.

PGP in Practice

Inherent to PGP is the issue of distributing keys. For instance, the visual shows Todd Pritsky’s PGP key list, which includes the public keys for Phil Zimmermann. If Todd wants to send an encrypted message to Phil, he uses the appropriate public key to encode the message and only Phil’s private key will decode it. Unfortunately, Todd doesn’t have a key for Alice or Bob, so he can’t send them secure email. This raises the question: How do we send encrypted messages to anyone and everyone? We need a public key for each recipient.

This poses a huge management problem. To use PGP with everyone in an organization, let alone the entire planet, requires an immense repository of current public keys. To help ease the distribution of these keys, PGP employs key servers, which can store keys in publicly accessible areas. For instance, Todd created three different keys in 1997, and to make sure everyone on the Internet has the most current one, he simply uploads the latest key to a key server housed at MIT. In his email signature, he indicates where to find the public key, so anyone wishing to send him an encoded message can do so once they obtain the key. PGP keys can also be exported as text, so Todd has placed his key on his web site and can even email the key to anyone who wants it.